pia-foss / manual-connections

Scripts for manual connections to Private Internet Access
MIT License
620 stars, 170 forks

Questions on `PF_HOSTNAME` resolution and IP address conflict #151

Closed qdm12 closed 2 years ago

qdm12 commented 2 years ago

Hi there! I have two questions about PF_HOSTNAME

  1. What DNS server address should be used to resolve the server hostname to a valid IP address?
  2. I had the case where the private IP address resolved would conflict with a local IP address in the same network, do you have any solution to this? Would you consider having a public IP address endpoint for your API perhaps?

Thanks!!

g00nix commented 2 years ago

@qdm12 Thank you for your questions.

> What DNS server address should be used to resolve the server hostname to a valid IP address?

None. DNS queries should be avoided for privacy reasons. The hostname is used only to make sure the CN in the server certificate is correct, as an extra security check.

> I had the case where the private IP address resolved would conflict with a local IP address in the same network, do you have any solution to this? Would you consider having a public IP address endpoint for your API perhaps?

Which private IP address are you having a conflict with?
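Connecting to the gateway by IP address with no DNS lookup while still checking the server certificate against `PF_HOSTNAME`, as an added example in Go (this is neither the project's shell scripts nor gluetun's code; in curl the equivalent mechanism is the `--connect-to` option). The hostname `pf-gateway.example`, the token, the JSON reply and the self-signed certificate are all constructed for the demo; against a real gateway the trust pool would hold PIA's CA bundle instead, and `getSignature` is used only because it is the endpoint this thread is about:

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// selfSignedFor builds a throwaway self-signed certificate whose SAN is host.
// Constructed for this example only; against a real gateway the pool holds PIA's CA.
func selfSignedFor(host string) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // Go matches the SAN; a bare CN is not enough
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// pinnedClient returns an HTTP client that never does a DNS lookup: every socket
// goes to gatewayIP, while TLS still verifies the certificate against pfHostname.
func pinnedClient(gatewayIP, pfHostname string, pool *x509.CertPool) *http.Client {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: pfHostname}, // SNI + SAN check
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			_, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			// Drop the URL's host and connect straight to the gateway address.
			return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, net.JoinHostPort(gatewayIP, port))
		},
	}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}
}

// getSignature calls /getSignature through c; the URL carries pfHostname only for SNI and Host.
func getSignature(c *http.Client, pfHostname, port, token string) (string, error) {
	u := "https://" + net.JoinHostPort(pfHostname, port) + "/getSignature?token=" + url.QueryEscape(token)
	resp, err := c.Get(u)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// demo runs a fake gateway on 127.0.0.1 with a certificate for pfHostname and returns the
// body fetched under the matching hostname plus the error seen under a hostname it does not cover.
func demo() (string, error) {
	const pfHostname = "pf-gateway.example" // assumed name, not a real PIA host
	cert, pool := selfSignedFor(pfHostname)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, `{"status":"OK","token_seen":%q}`, r.URL.Query().Get("token")) // constructed reply
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()
	_, port, _ := net.SplitHostPort(srv.Listener.Addr().String())
	body, err := getSignature(pinnedClient("127.0.0.1", pfHostname, pool), pfHostname, port, "demo-token")
	if err != nil {
		return "", err
	}
	_, mismatch := getSignature(pinnedClient("127.0.0.1", "other.example", pool), "other.example", port, "demo-token")
	return body, mismatch
}

func main() {
	body, err := demo()
	fmt.Println("matching hostname:", body)
	fmt.Println("wrong hostname:", err)
}
```

The first request succeeds because the certificate's SAN matches the `ServerName`; the second reaches the very same socket but fails with an x509 hostname error, which is the extra check g00nix describes. The transport never resolves `pf-gateway.example`, so no DNS query leaves the host.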

qdm12 commented 2 years ago

Well, it's some of my users (of https://github.com/qdm12/gluetun) that have their LAN network or Docker network conflicting with the port forwarding private IP address for your API.

Why not have the API available through a public IP address with TLS (and without a domain name if you feel that's necessary, although getting your token etc. goes through privateinternetaccess.com, so I don't see the point, at least for port forwarding)?

g00nix commented 2 years ago

I understand now. You would like us to centralize the PF API. Sadly we can't do that, because this is a privacy service.

Regarding the IP conflict, the subnet 10.0.0.0/8 is reserved for VPN purposes.

I am sorry for the trouble this is causing. This is not something that we can change at the moment.
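A check for the conflict described above, as an added example in Go (not gluetun's code and not the project's scripts): it reports which locally configured subnets contain the port-forwarding gateway address, i.e. which local routes would swallow traffic meant for the VPN gateway. The interface name `tun0` and the addresses `10.0.0.2`, `10.0.0.0/24`, `192.168.1.0/24` and `172.17.0.0/16` are constructed for the demo.

```go
package main

import (
	"fmt"
	"net"
)

// overlapping returns the local subnets, as CIDR strings, that contain gateway:
// each one is a route that would shadow the VPN gateway, which is the conflict
// reported in this thread. Invalid input is returned as an error, not ignored.
func overlapping(gateway string, localCIDRs []string) ([]string, error) {
	ip := net.ParseIP(gateway)
	if ip == nil {
		return nil, fmt.Errorf("invalid gateway address %q", gateway)
	}
	var hits []string
	for _, cidr := range localCIDRs {
		_, ipnet, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, fmt.Errorf("invalid local subnet %q: %w", cidr, err)
		}
		if ipnet.Contains(ip) {
			hits = append(hits, ipnet.String()) // normalised to the network address
		}
	}
	return hits, nil
}

// localSubnets collects the IPv4 prefixes configured on this host's interfaces,
// skipping the tunnel itself (its prefix contains the gateway by design).
func localSubnets(skipIface string) ([]string, error) {
	ifaces, err := net.Interfaces()
	if err != nil {
		return nil, err
	}
	var out []string
	for _, ifc := range ifaces {
		if ifc.Name == skipIface {
			continue
		}
		addrs, err := ifc.Addrs()
		if err != nil {
			return nil, err
		}
		for _, a := range addrs {
			if n, ok := a.(*net.IPNet); ok && n.IP.To4() != nil {
				out = append(out, n.String())
			}
		}
	}
	return out, nil
}

func main() {
	// Constructed example: a Docker bridge on 10.0.0.0/24 shadows a gateway at
	// 10.0.0.2, while the LAN on 192.168.1.0/24 and Docker's default bridge do not.
	hits, err := overlapping("10.0.0.2", []string{"192.168.1.0/24", "10.0.0.0/24", "172.17.0.0/16"})
	fmt.Println(hits, err) // [10.0.0.0/24] <nil>

	// Same check against the live host, assuming the tunnel interface is tun0.
	if live, err := localSubnets("tun0"); err == nil {
		hits, _ := overlapping("10.0.0.2", live)
		fmt.Println("conflicts on this host:", hits)
	}
}
```

Run this before bringing the tunnel up: a non-empty result means the gateway address is unreachable through the tunnel until the conflicting LAN or Docker subnet is moved out of the range the VPN uses.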

qdm12 commented 2 years ago

> Sadly we can't do that, because this is a privacy service.

Does it actually make sense? You get the token from https://privateinternetaccess.com so I don't really see what's different with the getSignature call privacy-wise :thinking: I guess the getSignature call is specific to a certain VPN server then, right?

Going back to the DNS query: in your scripts, you specify `PF_HOSTNAME`, which is not an IP address (here).

My program uses DNS over TLS and ignores the VPN-pushed DNS addresses, so it's not aware of the private VPN server hostname. I would like to configure a specific DNS server address for the custom PIA HTTP client (only used with your APIs) to resolve the VPN server name to an IP address. So do you have a particular DNS server address to resolve this `PF_HOSTNAME` to an IP address? Thanks! :+1: